David Krantz writes:
> It might be that no support really is needed in mailman so that just milters in sendmail, postfix etc. might do the trick.
MTA features are the way to go in principle. First, Mailman can't check SPF because it doesn't have access to the connection. Second, the MTA needs access to private keys for signing DKIM and so on. Mailman 3 is definitely insecure against attacks from localhost. Third, MTAs need to access DNS; Mailman shouldn't need to (this is necessary for all of the various protocols to get public keys). I don't know how big the problem really is from experience, but I can say that the representatives of the big sites at IETF worry a lot about the burden of these checks on the DNS. Finally, in some domains there are multiple Mailman administrators behind one MTA, and the Mailman admins can't manipulate DNS or access private keys.
There have been a couple of ARC modules contributed; there's a lot of code to review, and probably still some configuration magic to be added to the core given that I don't think it should default on. Maybe the thing to do is release an add-on for the people who have access to the configuration files of their installation (the actual configuration interface is adding a rule to the chains to check ARC stuff, and a handler to the pipeline to do the signing).
Steve
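
What relying on the MTA can look like from the list manager's side, as an added example that is not part of the original message and is not Mailman code: the MTA or its milter performs the SPF, DKIM and ARC checks and records them in an Authentication-Results header (RFC 8601), and list-side code reads only the header stamped with its own MTA's authserv-id, with no connection data, DNS lookups or private keys. The id `mx.example.org`, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.example.org"  # assumption: the id our own MTA stamps

_COMMENT = re.compile(r"\([^()]*\)")    # RFC 5322 comments (non-nested only)
_RESULT = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*=\s*([a-z]+)", re.I)

def mta_auth_results(msg, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return {method: [results]} from headers stamped by trusted_id only."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = _COMMENT.sub(" ", " ".join(value.split()))  # unfold, drop comments
        authserv, _, rest = value.partition(";")
        parts = authserv.split()
        if not parts or parts[0].lower() != trusted_id.lower():
            continue  # stamped by another host, or forged upstream: ignore it
        for clause in rest.split(";"):
            m = _RESULT.match(clause)
            if m:
                results.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return results

def authenticated(msg):
    """Illustrative policy: any one of SPF, DKIM or ARC passed at our MTA."""
    res = mta_auth_results(msg)
    return any("pass" in res.get(method, []) for method in ("spf", "dkim", "arc"))

# Constructed sample: one header from our MTA, one claimed by an upstream host.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=alice@example.net;
 dkim=fail (bad signature) header.d=example.net;
 arc=none
Authentication-Results: upstream.example; spf=pass; dkim=pass
From: alice@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print(mta_auth_results(msg), authenticated(msg))
```

This only holds if the MTA removes inbound Authentication-Results headers that already carry its own authserv-id, which RFC 8601 asks border MTAs to do.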